no one is safe ...

Home Network Devices

OS-Command Injection via UPnP Interface in multiple D-Link devices

Vendor: D-Link
Devices: DIR-300 rev B / DIR-600 rev B / DIR-645 / DIR-845 / DIR-865

============ Vulnerable Firmware Releases: ============
DIR-300 rev B - 2.14b01
DIR-600 - 2.16b01
DIR-645 - 1.04b01
DIR-845 - 1.01b02
DIR-865 - 1.05b03

Other devices and firmware versions may be also vulnerable.

============ Vulnerability Overview: ============

  • Unauthenticated OS Command Injection

Linksys X3000 - Multiple Vulnerabilities

Device: X3000
Vendor: Linksys

============ Vulnerable Firmware Releases: ============

Firmware Version: v1.0.03 build 001 Jun 11,2012

============ Vulnerability Overview: ============

OS Command Injection

The vulnerability is caused by missing input validation and can be exploited to inject and execute arbitrary shell commands.

You need to be authenticated to the device or you have to find other methods for inserting the malicious commands.

* OS Command Injection - Vector 1 (1):
=> Parameter: ping_ip

Multiple Vulnerabilities in D-Link DSL-320B

Device: DSL-320B

Firmware Version: EU_DSL-320B v1.23 date: 28.12.2010

Vendor URL:

============ Vulnerability Overview: ============

  • Access to the Config file without authentication => full authentication bypass possible!: (1)




Your Telnet Backdoor is waiting for you

It is too bad if your device has a backdoor directly from the vendor. In some devices of the vendor D-Link you are able to find a nice telnet server listening on the internal network interface. The following output shows the results of a Nmap scan of three different D-Link DIR devices (DIR-300revA, DIR-300revB, DIR-600revB):

root@bt:~# nmap -sSV -p 23,144,222
Starting Nmap 6.01 ( ) at 2013-04-30 13:42 CEST
Nmap scan report for
Host is up (0.0067s latency).